Personally, I'm wary of ideas like software engineers facing unlimited personal liability like hardware engineers, because computer science just hasn't advanced to a point where we can say with confidence that any non-trivial piece of code works correctly (or even define what that means).
However, I do think there needs to be some serious financial penalties for companies like LG, Samsung, D-Link, etc., who ship flagrantly insecure firmware that in many cases is unnecessary, is almost never supported for anything like the realistic lifetime of the device, and where it is clear to anyone with industry expertise that they have demonstrated a negligent lack of basic competency.
For example, back in 2007 it might have been acceptable to store passwords as salted MD5. Nowadays, not good enough. Any hardware made competently then might have used a salted MD5 password store. Fine. But really, patches should be provided for at least 10 years and those patches should bring firmware into line with the current state of the art. Thus I think it would be reasonable to sue a hardware manufacturer for a device made in 2007, still in service in 2017, which cannot be updated to have better password security than salted MD5.
It of course goes without saying that things like default passwords (admin:admin etc) should be considered outright unacceptable in any network-enabled consumer device.
Obviously we can't hold device manufacturers liable forever, nor can we expect NSA-proof levels of security, but I think it is reasonable to hold all hardware to a standard of "basic competency" for at least 10 years from the date of manufacture. The standard warranty period of 1-2 years is not sufficient.
There is at the moment a serious risk/reward imbalance where it makes financial sense to ship "features" (even if nobody asked for them) at the expense of security, because the subsequent issues are someone else's problem. This is bad for device owners and bad for society as a whole, since compromised devices are commonly used for DDOS attacks, sharing child porn, etc.
If device manufacturers knew there were serious financial consequences and that all features must be kept secure for 10+ years, they would certainly be more interested in making things modular and reducing potential attack surface areas than they are now.
I agree 100% -- but you outlined the problem yourself by using the phrase "suing the companies".
Consumers cannot and will not do that. It takes time, it takes money, and a company can drag it on forever and just exhaust you financially or psychologically. IMO the justice system's rules on "citizen vs. company" need an overhaul, badly, for quite a long time now.
I should be able to call Samsung in court and have my interests protected in one week. Does this happen right now? No. I can't see any hope for the future in this regard.
There's no real punishment for companies being sloppy. One might think the capitalistic market would auto-correct things by people flocking to competitors, right? But I find this to not be the case; as you and others in this thread have pointed out, it's becoming harder and harder to buy non-smart TVs. Every OEM seems to be in the same dirty bed with everybody else, and the poor security becomes more and more excusable by "but everybody else does it too!" with each passing day. And we as consumers practically have no choice. You want the best picture quality on the market? Sorry, it comes with a lot of software (requiring internet connection) that you never asked for and you won't ever need.
Furthermore, governments are by default awfully incompetent to help with issues like these. Even if we assume zero company lobbyists, most governments simply have no idea what the problem is at all, let alone take any measures. I hope I am wrong, though.
Sorry if this is too pessimistic but quite frankly, I can't see any reason for hope at this point.
> Consumers cannot and will not do that. It takes time, it takes money, and a company can drag it on forever and just exhaust you financially or psychologically.
Yeah... but large lawyer companies are more than willing to fight on the behalf of consumers doing class action lawsuits for the little guy. On the behalf of you and me.
As in, they be-having all the rewards after lawyer fees get paid on the win.
For reference, don't forget to get your $9 if you are a PS3 owner. (the situations aren't the same... but it is an example of "That's not worth it for 'individuals' to sue... but big company gets sued and loses anyways")
I assume they are everywhere, but this is just "standard operating procedure" in the US.
Look up anything that happens to a group of people - PS3 features being removed, salmonella in food, Microsoft forcing updates on Windows 10, Samsung batteries exploding, etc.
Look for anything that's affected a lot of people... and then watch as a lawyer or group of lawyers kicks up a class action lawsuit.